Data Compliance Policy
Version 2.0 | Effective Date: April 1, 2026 | Last Updated: March 2026
1. Overview
KnitTrace is a B2B SaaS platform for the Indian textile industry, operated by Time In Software. This document defines how we collect, process, store, and protect user data in compliance with India's data privacy regulations. It supplements our Privacy Policy with technical and regulatory detail.
Applicable Regulation
| Country | Regulation | Key Requirements |
|---|---|---|
| India | Digital Personal Data Protection Act (DPDPA) 2023 | Consent, data localization, breach notification 72 hrs |
2. Data We Collect
2.1 Categories of Personal Data
| Category | Data Fields | Purpose | Legal Basis |
|---|---|---|---|
| Account Data | Full name, email, password (hashed via bcrypt) | Account creation, authentication | Contract performance |
| Business Data | Company name, GST/Tax ID, address, phone, contact email, business type, verification tier | Company onboarding, identity verification, tax compliance | Contract performance + Legal obligation |
| Configuration Data | Top role, knitting types, production modes, billing period preference | Service configuration, subscription management | Contract performance |
| Production Data | Order details, quantities, timestamps, stage logs, machine assignments | Core traceability service | Contract performance |
| Location Data | Factory lat/lng (production units) | Factory mapping | Legitimate interest + Consent |
| Financial Data | Subscription plan, billing period, billing history, payment transaction IDs, Razorpay subscription ID | Billing and subscription management | Contract performance |
| Communication Data | Chat messages, RFQ content, support tickets | P2P messaging, marketplace, support | Contract performance |
| Usage Data | Activity logs, login timestamps, IP addresses, device info | Security monitoring, anomaly detection | Legitimate interest |
| Media Data | Company logos, gallery photos, garment images, DC images | Product showcasing, document verification | Contract performance |
2.2 Data We Do NOT Collect
- Credit card numbers or bank account details (handled entirely by Razorpay/Stripe)
- Biometric data
- Personal health data
- Political or religious affiliation
- Data from minors (platform is B2B, 18+ only)
3. How We Use Data
| Purpose | Data Used | Retention |
|---|---|---|
| Provide traceability service | Production data, order data | Duration of account + 7 years (tax compliance) |
| Authenticate users | Account data | Duration of account |
| Process payments | Financial data (transaction IDs only) | 7 years (tax/accounting compliance) |
| Manage subscriptions & trials | Plan selection, billing period, trial dates, Razorpay subscription ID | Duration of account + 7 years |
| Textile Passport (public) | Aggregated journey data, company names, city names | Indefinite (public document) |
| Smart notifications | Company capabilities, RFQ criteria | Real-time (not stored) |
| Security monitoring | Activity logs, IP addresses, device fingerprints | 1 year |
| Customer support | Support tickets, chat history | Duration of account + 1 year |
| Analytics (aggregated) | Production volumes, marketplace trends | Indefinite (anonymised) |
4. Data Storage & Security
4.1 Where Data is Stored
| Component | Provider | Region | Encryption |
|---|---|---|---|
| Primary Database | Supabase (AWS) | Mumbai, India (ap-south-1) | AES-256 at rest, TLS in transit |
| File Storage | Supabase Storage (AWS S3) | Mumbai, India | AES-256 at rest, TLS in transit |
| Caching | Upstash Redis | Mumbai, India | TLS in transit |
| CDN | Vercel Edge Network | Global (edge nodes) | TLS in transit |
| Payment Processing | Razorpay (India) / Stripe (Global) | India / US | PCI-DSS Level 1 |
| Resend (AWS SES) | US | TLS in transit |
4.2 Security Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 (Supabase/AWS default) |
| Encryption in transit | TLS 1.3 (all connections) |
| Field-level encryption | pgcrypto on GST numbers, phone numbers, emails |
| Access control | Row Level Security (RLS) on all 24 database tables |
| Authentication | Supabase Auth with bcrypt password hashing |
| Two-Factor Auth | TOTP (mandatory for Admin, optional for Exporter/VI) |
| Session management | Single active session per user, 30-min timeout for sensitive roles |
| Input validation | Zod schema validation on all inputs |
| Rate limiting | Vercel Edge Middleware (100 req/min per IP) |
| DDoS protection | Cloudflare (volumetric attack absorption) |
| File scanning | Magic byte validation on all uploads |
| Audit trail | Immutable activity_logs (append-only, no UPDATE/DELETE) |
| Anomaly detection | Flags suspicious login patterns, bulk exports, rapid API calls |
| API key rotation | Quarterly rotation of Supabase keys |
| Webhook verification | Cryptographic signature validation (Razorpay/Stripe) |
| Backup | Daily automated backups (7-day retention) |
5. Data Transfers
All primary data is stored in India. Limited data is transferred to third-party service providers as described below.
| From > To | Mechanism | Compliance |
|---|---|---|
| India > India | No transfer (primary data stays in Mumbai) | DPDPA compliant |
| India > US | Limited: only email delivery (Resend) and payment processing (Stripe) | Standard contractual terms |
5.1 Data Localization
All data is stored in the Mumbai, India region (ap-south-1), ensuring compliance with India's DPDPA data localization requirements.
6. User Rights
6.1 Rights Available to All Users
| Right | Description | How to Exercise | Response Time |
|---|---|---|---|
| Access | Request a copy of all personal data we hold | Settings > Privacy > Download My Data | 30 days |
| Rectification | Correct inaccurate personal data | Edit Profile / Company Settings | Immediate |
| Erasure | Delete account and all personal data | Settings > Privacy > Delete Account | 30 days |
| Data Portability | Export data in JSON/CSV | Settings > Privacy > Export Data | 30 days |
| Restriction | Restrict processing of personal data | Email timeinsoftware@gmail.com | 30 days |
| Objection | Object to processing based on legitimate interest | Email timeinsoftware@gmail.com | 30 days |
| Withdraw Consent | Revoke previously given consent | Settings > Privacy > Manage Consent | Immediate |
6.2 Additional Rights (India — DPDPA)
Right to nominate — designate a person to exercise your data rights in case of death or incapacity.
7. Data Retention & Deletion
7.1 Retention Schedule
| Data Type | Retention Period | Reason | Deletion Method |
|---|---|---|---|
| Account data | Duration of account | Service provision | Hard delete on account deletion |
| Business/company data | Duration of account | Service provision | Hard delete on account deletion |
| Production logs | 7 years after order completion | Tax/legal compliance (India GST Act) | Auto-delete after 7 years |
| Activity logs | 1 year | Security audit trail | Auto-archive, then delete |
| Chat messages | Duration of account | Communication record | Hard delete on account deletion |
| Financial/billing records | 7 years | Tax/accounting compliance | Auto-delete after 7 years |
| Textile Passports | Indefinite (public documents) | End-consumer transparency | Anonymise company names on account deletion |
| Support tickets | Duration of account + 1 year | Support history | Hard delete |
| Media/files | Duration of account | Service provision | Hard delete from Supabase Storage |
7.2 Account Deletion Process
- User initiates deletion via Settings > Privacy > Delete Account.
- 30-day cooling-off period begins. Account is deactivated, data preserved.
- User can cancel deletion during the cooling-off period.
- After 30 days:
- Delete: profiles, company galleries, chat messages, support tickets, uploaded media
- Anonymise: orders (company name replaced with “Deleted Company”), production logs
- Retain (anonymised): Textile Passports, activity logs (legal requirement)
- Revoke: all auth sessions and API tokens
- Confirmation email sent to registered email.
- Data is irrecoverable after this point.
Restriction: If the user is the sole owner of a company with active subscriptions or pending orders, deletion is blocked until ownership is transferred or orders are completed. Yearly plan financial obligations (see Terms of Service Section 5.2) remain in effect regardless of account deletion.
7.3 Subscription Expiry Data Handling
- If a subscription enters “halted” status due to payment failure, data is retained for 30 days.
- After 30 days without payment resolution, we reserve the right to delete account data with prior email notice.
8. Consent Management
| Action | Consent Type | Required | Revocable |
|---|---|---|---|
| Account creation | Terms of Service + Privacy Policy | Yes (mandatory) | Deleting account |
| Factory location pin (Google Maps) | Location data consent | No (optional) | Yes (clear lat/lng) |
| Marketing emails | Email marketing consent | No (opt-in) | Yes (unsubscribe link) |
| Analytics cookies | Cookie consent | No (opt-in for EU) | Yes (cookie settings) |
| Textile Passport (public) | Public data consent | Yes (per passport) | Yes (toggle is_public off) |
9. Third-Party Data Sharing
9.1 Sub-Processors
| Sub-Processor | Data Shared | Purpose | DPA in Place |
|---|---|---|---|
| Supabase (AWS) | All data | Database, auth, storage, realtime | Yes |
| Vercel | Request logs, IP addresses | Hosting, CDN, Edge Functions | Yes |
| Cloudflare | IP addresses, request headers | DDoS protection, DNS, Turnstile | Yes |
| Upstash | Cached query results (no PII) | Redis caching | Yes |
| Razorpay | Transaction IDs, company names | India payment processing | Yes |
| Stripe | Transaction IDs, company names | International payment processing | Yes |
| Resend (AWS SES) | Email addresses, email content | Transactional emails | Yes |
| GSTZen | GST numbers | GSTIN validation (India only) | Yes |
| Google Maps | Lat/lng coordinates, addresses | Places Autocomplete, Directions | Yes |
9.2 Data We Never Share
- We never sell personal data to third parties.
- We never share production data between competing companies.
- We never provide bulk data access to advertisers.
- We never share individual user behaviour with analytics platforms (only aggregated).
10. Breach Notification
10.1 Notification Timeline (India — DPDPA)
- Authority notification: Within 72 hours to the Data Protection Board of India.
- User notification: Without undue delay via email.
10.2 Breach Response Process
- Detection — Anomaly detection system flags suspicious activity, or security team discovers breach manually.
- Containment (within 1 hour) — Isolate affected systems, revoke compromised credentials, enable Cloudflare “Under Attack” mode if needed.
- Assessment (within 24 hours) — Determine scope, identify affected users and regions, assess risk level.
- Notification (within 72 hours) — Notify relevant data protection authorities. Notify affected users via email.
- Remediation — Fix the vulnerability, enhance monitoring, update security measures.
- Post-Mortem (within 7 days) — Document incident, root cause analysis, preventive measures, update this policy if needed.
11. Cookie Policy
| Cookie | Type | Purpose | Duration | Consent Required |
|---|---|---|---|---|
| sb-access-token | Essential | Supabase auth session | Session | No (essential) |
| sb-refresh-token | Essential | Supabase auth refresh | 7 days | No (essential) |
| theme | Functional | Light/Dark mode preference | 1 year | No (functional) |
| cf_clearance | Essential | Cloudflare Turnstile bot check | 30 min | No (security) |
KnitTrace does not use advertising cookies, tracking pixels, or third-party analytics cookies.
12. Children's Privacy
KnitTrace is a B2B platform designed for business use only. We do not knowingly collect data from anyone under 18 years of age. If we discover that a minor has created an account, we will immediately delete it and all associated data.
13. Policy Updates
- This policy is reviewed quarterly and updated as needed.
- Material changes are communicated via email to all registered users 30 days before taking effect.
- Continued use of the platform after the effective date constitutes acceptance.
- Previous versions are archived and available upon request.
14. Contact
For all compliance, privacy, and security inquiries:
Email: timeinsoftware@gmail.com
Phone: +91 88708 72911
Registered Address:Time In Software
B2, 4F1, Parsn Antara, Nanjundapuram Road,
Ramanthapuram, Coimbatore, Tamil Nadu, 641036
India
Website: timeinsoftware.com